Time marches on, and March is over. You know what that means: it’s time once again to review the patches released this month by software companies other than Microsoft (whose updates we cover on the day following their usual release schedule on the second Tuesday of the month).

As the month wound down, news broke of yet another high-profile, large-scale data breach, this one affecting approximately 150 million accounts of the popular MyFitnessPal (MFP) app. The app's current owner, Under Armour, became aware of the intrusion on March 25th and notified its users and the public shortly afterward. The good news this time is that only usernames, email addresses, and MFP passwords were affected, and most (but not all) of the passwords were hashed with bcrypt; a smaller percentage were hashed with SHA-1, which is far less suitable for password storage because it is fast and has no tunable work factor, so an attacker holding the stolen hashes can test guesses against them at enormous speed.
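The practical difference between those two storage schemes is easy to show in code. The following is an added example, not code from the original post or from MyFitnessPal: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (both are salted, deliberately slow hashes with a tunable cost), contrasts it with plain SHA-1, and runs a small dictionary attack against both. The user records, passwords and wordlist are constructed for the demonstration, and the iteration count is kept low so it runs in well under a second.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample wordlist; a real dictionary attack uses millions of entries.
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty", "fitness2018"]

# Work factor for the slow hash. Deliberately low for the example; production
# values are tuned so one hash costs tens of milliseconds.
ITERATIONS = 20_000


def sha1_store(password: str) -> str:
    """Legacy scheme: one unsalted SHA-1 over the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_store(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, tunable-cost scheme (PBKDF2-HMAC-SHA256 standing in for bcrypt).

    A fresh random salt per account means identical passwords give different
    records and no precomputed table applies across accounts.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_sha1(records: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Unsalted fast hash: one table of len(wordlist) hashes recovers every account at once.

    Returns (recovered passwords by user, number of hash computations performed).
    """
    table = {sha1_store(word): word for word in wordlist}
    found = {user: table[h] for user, h in records.items() if h in table}
    return found, len(wordlist)


def crack_slow(records: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Salted slow hash: the whole wordlist must be redone per account, and every
    guess costs `iterations` HMAC computations rather than one.

    Returns (recovered passwords by user, number of PBKDF2 computations performed).
    """
    found: Dict[str, str] = {}
    guesses = 0
    for user, record in records.items():
        for word in wordlist:
            guesses += 1
            if verify_slow(word, record):
                found[user] = word
                break
    return found, guesses


if __name__ == "__main__":
    # Constructed accounts; carol's password is not in the wordlist.
    plaintexts = {"alice": "password", "bob": "qwerty", "carol": "Tr0ub4dor&3"}
    legacy = {u: sha1_store(p) for u, p in plaintexts.items()}
    modern = {u: slow_store(p) for u, p in plaintexts.items()}
    print("SHA-1  :", crack_sha1(legacy, WORDLIST))
    print("PBKDF2 :", crack_slow(modern, WORDLIST))
```

Both attacks recover the same two weak passwords, which is the point: a slow salted hash does not save users who chose dictionary words. What it changes is the cost per account. Against SHA-1 the attacker computes the wordlist once and matches every leaked hash against it (and identical hashes reveal which users share a password before any cracking starts); against the salted scheme the work multiplies by the number of accounts and by the iteration count.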

I have been an MFP user for over a decade and love the app’s calorie-tracking functionality. I use only the free version and have never given the app my credit card data, and it doesn’t collect especially sensitive information such as social security numbers or government ID numbers, so this is a bit less worrisome than, for example, the Equifax breach last year that potentially exposed so much personal data. Although I don’t particularly want the world to know my weight or what I’ve eaten for dinner over the years, that doesn’t threaten my financial well-being.

Nonetheless, this latest breach reminds us of the importance of doing everything we can to protect the information that we store on or transmit via our computers and mobile devices, and one of the most vital elements in that process is to apply security updates as quickly as possible – even knowing that sometimes good patches go bad and cause problems.

So let’s move on to this month’s third-party patch releases and look at what types of critical vulnerabilities they fix.

Apple

February was a light patch month for Apple, with only four updates, all of which addressed the same single vulnerability. This month we have double that number, although the month went almost entirely without any: all eight updates were released on March 29th.

  • iOS 11.3 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation addresses forty-four separate vulnerabilities, the largest number of them in the WebKit component. Impacts range from disclosure of email addresses to elevation of privilege, denial of service, and arbitrary code execution with kernel privileges.
  • watchOS 4.3 for all Apple Watch models addresses many of the same vulnerabilities as the iOS update, with the same ramifications.
  • tvOS 11.3 for Apple TV 4th generation and Apple TV 4K addresses many of the same vulnerabilities as the iOS update, with the same ramifications.
  • Xcode 9.3 for macOS High Sierra addresses multiple issues in LLVM (the modular compiler and toolchain infrastructure on which Apple’s compilers are built), tracked as CVE-2018-4164.
  • iTunes 12.7.4 for Windows 7 and later addresses a buffer overflow that could lead to elevation of privilege, along with multiple vulnerabilities in the WebKit component, including memory corruption issues that could lead to arbitrary code execution.
  • macOS High Sierra 10.13.4, together with Security Update 2018-002 for macOS Sierra and OS X El Capitan, addresses thirty-five vulnerabilities across many components of the desktop operating system, including issues that could lead to arbitrary code execution, elevation of privilege, arbitrary command execution, spoofing, keystroke logging, unauthorized reading of restricted memory, interception of encrypted email contents, bypass of code signing enforcement, unwanted launching of applications and mounting of disk images, denial of service, and information disclosure.
  • Safari 11.1 for macOS Sierra and High Sierra and OS X El Capitan addresses twenty-three vulnerabilities, most of them in the WebKit component, including cross-origin data exfiltration, denial of service, cross-site scripting, arbitrary code execution, and address bar spoofing.
  • iCloud for Windows 7.4 for Windows 7 and later addresses twenty vulnerabilities, most of them in the WebKit component, covering largely the same issues as Safari 11.1.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe issued four security bulletins in February. This month we have only three update bulletins and no advisories. All three were issued on Adobe’s regularly scheduled Patch Tuesday, March 13th.

  • APSB18-05 is an update for Adobe Flash Player for Windows, Mac OS, Linux, and Chrome OS that addresses two remote code execution vulnerabilities. One is a use-after-free issue, and the other is a type confusion issue. Both can lead to remote code execution and are rated critical, and the bulletin is ranked as a priority 2.
  • APSB18-06 is an update for Adobe Connect, Adobe’s web conferencing platform used for online meetings, presentations, training modules, and desktop sharing. It addresses two vulnerabilities, both rated important. One is an OS command injection issue that could result in arbitrary file deletion, and the other is an unrestricted SWF file upload issue that could result in information disclosure. The bulletin is ranked priority 3.
  • APSB18-07 is an update for Adobe Dreamweaver CC version 18.0 and earlier running on Windows that addresses one vulnerability, which can lead to arbitrary code execution and is rated critical. It is an OS Command injection issue. The bulletin is ranked priority 3.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html

Google

Google released a new stable channel update for the Chrome browser desktop version running on Windows, Mac, and Linux on March 20, version 65.0.3325.181. The update contains one security fix.

Google released a new stable channel update for Chrome OS on March 23, version 65.0.3325.184 for most Chrome OS devices. It contains security updates.

For more information about both of the above, see the details in the Chrome Releases blog at https://chromereleases.googleblog.com/search?updated-max=2018-03-22T16:49:00-07:00&max-results=10

Google released the March security updates for Android-based Pixel and Nexus devices, with a total of 21 issues addressed in the revised version of the patch that was issued on March 5. These include critical issues, with the most severe having the potential for arbitrary code execution.

For more information, see this article: https://9to5google.com/2018/03/05/android-march-18-security-patch-pixel-nexus/

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July, and October.  The most recent critical patch update was released on January 16, and the next release is scheduled for April 17.

For more information, see: https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

  • Firefox v. 59.0.2 was released March 26. Mozilla’s most recent release of the Firefox browser contains a fix for a single vulnerability rated as high severity: a use-after-free issue in compositor that could result in a potentially exploitable crash.
  • Firefox 59.0.1 was released March 16. It contains fixes for two critical vulnerabilities, both of which are out of bounds memory write issues.
  • Firefox 59 was released on March 13.  It contains fixes for two critical vulnerabilities, four high severity vulnerabilities, seven rated moderate, and five rated low. The most serious are memory safety bugs that could be exploited to run arbitrary code.

For more information, see Security Advisories for Firefox at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox59.  

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of this writing (March 30), Ubuntu has issued forty separate security notices (USNs). Some of these address a large number of vulnerabilities in a single advisory; in other cases there are multiple advisories for the same vulnerability, typically one per affected release or kernel flavor (the -2 and -3 suffixes below). Other commercial Linux vendors issued a similar number of advisories and updates.

  • USN-3531-3: intel-microcode update. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.
  • USN-3545-1: Thunderbird vulnerabilities Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service or execute arbitrary code.
  • USN-3612-1: librelp vulnerability Bas van Schaik and Kevin Backhouse discovered that librelp incorrectly handled checking certain x509 certificates. A remote attacker able to connect to rsyslog could use this issue to execute arbitrary code.
  • USN-3611-1: OpenSSL vulnerability It was discovered that OpenSSL incorrectly handled certain ASN.1 types. A remote attacker could use this issue to cause a denial of service.
  • USN-3610-1: ICU vulnerability It was discovered that ICU incorrectly handled certain calendars. If an application using ICU processed crafted data, a remote attacker could cause it to crash, leading to a denial of service.
  • USN-3609-1: Firefox vulnerability A use-after-free was discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service or execute arbitrary code.
  • USN-3608-1: Zsh vulnerabilities Richard Maciel Costa discovered that Zsh incorrectly handled certain inputs. An attacker could use this to cause a denial of service. (CVE-2018-1071) It was discovered that Zsh incorrectly handled certain files. An attacker could use this to execute arbitrary code.
  • USN-3607-1: Screen Resolution Extra vulnerability It was discovered that Screen Resolution Extra was using PolicyKit in an unsafe manner. A local attacker could potentially exploit this issue to bypass intended PolicyKit authorizations.
  • USN-3606-1: LibTIFF vulnerabilities It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.
  • USN-3595-2: Samba vulnerability USN-3595-1 fixed a vulnerability in Samba. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Samba incorrectly validated inputs to the RPC spoolss service. An authenticated attacker could use this issue to cause the service to crash, resulting in a denial of service.
  • USN-3605-1: Sharutils vulnerability It was discovered that Sharutils incorrectly handled certain files. An attacker could use this to execute arbitrary code.
  • USN-3604-1: libvorbis vulnerability Richard Zhu discovered that libvorbis incorrectly handled certain sound files. An attacker could use this to cause libvorbis to crash, resulting in denial of service, or possibly execute arbitrary code.
  • USN-3603-2: Paramiko vulnerability USN-3603-1 fixed a vulnerability in Paramiko. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Matthijs Kooijman discovered that Paramiko’s SSH server implementation did not properly require authentication before processing requests.
  • USN-3603-1: Paramiko vulnerability Matthijs Kooijman discovered that Paramiko’s SSH server implementation did not properly require authentication before processing requests. An unauthenticated, remote attacker could use this to execute arbitrary code.
  • USN-3602-1: LibTIFF vulnerabilities  It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.
  • USN-3601-1: Memcached vulnerability It was discovered that Memcached incorrectly handled reusing certain items. A remote attacker could use this issue to cause Memcached to crash, resulting in a denial of service.
  • USN-3600-1: PHP vulnerabilities It was discovered that PHP incorrectly handled certain stream metadata. A remote attacker could use this issue to set arbitrary metadata. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-10712) It was discovered that PHP incorrectly handled the PHAR 404 error page.
  • USN-3599-1: Firefox vulnerability An out-of-bounds write was discovered when processing Vorbis audio data. If a user were tricked into opening a specially crafted website, an attacker could exploit this to cause a denial of service or execute arbitrary code.
  • USN-3598-1: curl vulnerabilities Phan Thanh discovered that curl incorrectly handled certain FTP paths. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2018-1000120) Dario Weisser discovered that curl incorrectly handled certain LDAP URLs. An attacker could use this issue to cause a denial of service.
  • USN-3597-2: Linux kernel (HWE) vulnerabilities USN-3597-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. USNs 3541-2 and 3523-2 provided mitigations for Spectre and Meltdown.
  • USN-3597-1: Linux kernel vulnerabilities USNs 3541-1 and 3523-1 provided mitigations for Spectre and Meltdown (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) for the i386, amd64, and ppc64el architectures in Ubuntu 17.10. This update provides the corresponding mitigations for the arm64 architecture.
  • USN-3596-1: Firefox vulnerabilities Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash or opening new tabs, escape the sandbox, bypass same-origin restrictions, and obtain sensitive information.
  • USN-3595-1: Samba vulnerabilities Björn Baumbach discovered that Samba incorrectly validated permissions when changing account passwords via LDAP. An authenticated attacker could use this issue to change the password of other users, including administrators, and perform actions as those users.
  • USN-3594-1: Linux kernel vulnerability USN-3542-1 mitigated CVE-2017-5715 (Spectre Variant 2) for the amd64 architecture in Ubuntu 14.04 LTS. This update provides the compiler-based retpoline kernel mitigation for the amd64 and i386 architectures.
  • USN-3592-2: ClamAV vulnerabilities USN-3592-1 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that ClamAV incorrectly handled parsing certain PDF files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service.
  • USN-3593-1: Zsh vulnerabilities It was discovered that Zsh incorrectly handled certain environment variables. An attacker could use this issue to gain privileged access to the system. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-10070) It was discovered that Zsh incorrectly handled certain inputs. An attacker could use this to execute arbitrary code.
  • USN-3592-1: ClamAV vulnerabilities It was discovered that ClamAV incorrectly handled parsing certain PDF files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-0202) Hanno Böck discovered that ClamAV incorrectly handled parsing certain XAR files.
  • USN-3579-3: LibreOffice regression USN-3579-1 fixed a vulnerability in LibreOffice. After upgrading, it was no longer possible for LibreOffice to open documents from certain locations outside of the user’s home directory. This update fixes the problem. We apologize for the inconvenience.
  • USN-3591-1: Django vulnerabilities James Davis discovered that Django incorrectly handled certain template filters. A remote attacker could use this issue to cause Django to consume resources, resulting in a denial of service.
  • USN-3590-1: Irssi vulnerabilities It was discovered that Irssi incorrectly handled certain empty nicknames. An attacker could use this issue to cause a denial of service. (CVE-2018-7050) It was discovered that Irssi incorrectly handled certain nicknames. An attacker could use this to access sensitive information.
  • USN-3589-1: PostgreSQL vulnerability It was discovered that PostgreSQL incorrectly handled certain settings. An attacker could use this issue to execute arbitrary code.
  • USN-3585-1: Twisted vulnerability It was discovered that Twisted incorrectly handled certain HTTP requests. An attacker could use this issue to execute arbitrary code.
  • USN-3588-1: Memcached vulnerabilities Daniel Shapira discovered an integer overflow issue in Memcached. A remote attacker could use this to cause a denial of service (daemon crash). (CVE-2017-9951) It was discovered that Memcached listened to UDP by default. A remote attacker could use this as part of a distributed denial of service attack. (CVE-2018-1000115)
  • USN-3587-1: Dovecot vulnerabilities It was discovered that Dovecot incorrectly handled parsing certain email addresses. A remote attacker could use this issue to cause Dovecot to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2017-14461) It was discovered that Dovecot incorrectly handled TLS SNI config lookups.
  • USN-3575-2: QEMU regression USN-3575-1 fixed vulnerabilities in QEMU. The fix for CVE-2017-11334 caused a regression in Xen environments. This update removes the problematic fix pending further investigation. We apologize for the inconvenience. Original advisory details: It was discovered that QEMU incorrectly handled guest RAM.
  • USN-3586-1: DHCP vulnerabilities Konstantin Orekhov discovered that the DHCP server incorrectly handled a large number of concurrent TCP sessions. A remote attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
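After installing the microcode (USN-3531-3) and kernel (USN-3594-1, USN-3597-1/-2) updates above, the check a practitioner wants is whether the running kernel actually reports the Spectre and Meltdown mitigations as active. The following is an added example, not code from Ubuntu or the original post: it reads the kernel's per-issue status files under /sys/devices/system/cpu/vulnerabilities and flags anything not reported as mitigated. The SAMPLE dictionary is a constructed snapshot of the status strings a partially patched kernel reports, including the "Minimal generic ASM retpoline" state that a kernel built without retpoline compiler support shows, which is exactly what the compiler-based retpoline build in USN-3594-1 replaces.

```python
import os
from typing import Dict, List

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed snapshot of the one-line status files on a host that has the
# Meltdown page-table-isolation fix but a kernel built without a
# retpoline-capable compiler (so spectre_v2 is still reported as vulnerable).
SAMPLE: Dict[str, str] = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status: str) -> str:
    """Map a sysfs status line to not_affected, mitigated, vulnerable or unknown."""
    status = status.strip()
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation:"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        # Includes partial states such as "Vulnerable: Retpoline without IBPB".
        return "vulnerable"
    return "unknown"


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Read every status file in the vulnerabilities directory.

    Returns an empty dict if the directory is missing. That is itself a finding:
    a kernel without this interface predates the mitigation work entirely.
    """
    try:
        names = sorted(os.listdir(directory))
    except FileNotFoundError:
        return {}
    statuses: Dict[str, str] = {}
    for name in names:
        with open(os.path.join(directory, name), encoding="ascii", errors="replace") as f:
            statuses[name] = f.read().strip()
    return statuses


def needs_attention(statuses: Dict[str, str]) -> List[str]:
    """Names of issues not reported as mitigated or not affected, sorted.

    An empty status map (interface absent) is reported as a single entry so the
    caller never mistakes 'nothing to read' for 'nothing vulnerable'.
    """
    if not statuses:
        return ["sysfs vulnerabilities interface absent"]
    return sorted(name for name, s in statuses.items() if classify(s) in ("vulnerable", "unknown"))


if __name__ == "__main__":
    live = read_sysfs()
    statuses = live
    if not live:
        print("no live sysfs data on this host; showing the constructed SAMPLE instead")
        statuses = SAMPLE
    for name, status in statuses.items():
        print(f"{name:12s} {classify(status):13s} {status}")
    print("needs attention:", needs_attention(live if live else SAMPLE))
```

Run it after a reboot into the new kernel: the microcode package alone changes nothing until the kernel exposes the new CPU features, and a kernel that was built before the compiler gained retpoline support keeps reporting spectre_v2 as vulnerable even with the latest microcode installed.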
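The second issue in USN-3588-1, memcached listening on UDP by default, is the one worth testing for from outside, since an instance reachable on UDP 11211 answers a few bytes of request with kilobytes of reply and can be used as a reflector against third parties. The following is an added example, not code from Ubuntu, the memcached project or the original post: it speaks the memcached UDP framing directly (an 8-byte header of request id, sequence number, datagram count and a reserved field, followed by the ASCII command), builds a `stats` probe, reassembles a multi-datagram reply, and computes the bytes-out to bytes-in ratio. SAMPLE_REPLIES is a constructed reply split the way memcached fragments larger responses; `probe()` sends real packets and should only be pointed at hosts you are authorized to test.

```python
import socket
import struct
import sys
from typing import Dict, List, Tuple

# memcached UDP frame header: request id, sequence number, total datagrams, reserved
HEADER = struct.Struct("!HHHH")
PROBE_ID = 0x1234


def build_probe(request_id: int = PROBE_ID, command: bytes = b"stats\r\n") -> bytes:
    """Single-datagram request: header (seq 0 of 1) followed by the text command."""
    return HEADER.pack(request_id, 0, 1, 0) + command


def parse_frame(datagram: bytes) -> Tuple[int, int, int, bytes]:
    """Split a datagram into (request id, sequence, total, payload)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[HEADER.size:]


def reassemble(datagrams: List[bytes], request_id: int) -> bytes:
    """Join the datagrams of one reply in sequence order, ignoring other request ids."""
    parts: Dict[int, bytes] = {}
    for d in datagrams:
        rid, seq, _total, payload = parse_frame(d)
        if rid == request_id:
            parts[seq] = payload
    return b"".join(parts[i] for i in sorted(parts))


def amplification_factor(request: bytes, replies: List[bytes]) -> float:
    """Bytes received on the wire divided by bytes sent, headers included."""
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, port: int = 11211, timeout: float = 1.0) -> List[bytes]:
    """Send one stats probe and collect every datagram that arrives before the timeout.

    An empty list means the port did not answer over UDP (closed, filtered, or
    started with -U 0); a non-empty list means the instance is reachable as a reflector.
    """
    replies: List[bytes] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(), (host, port))
        try:
            while True:
                data, _addr = s.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


# Constructed two-datagram reply to the probe above, delivered out of order.
SAMPLE_REPLIES: List[bytes] = [
    HEADER.pack(PROBE_ID, 1, 2, 0) + b"STAT uptime 86400\r\nEND\r\n",
    HEADER.pack(PROBE_ID, 0, 2, 0) + b"STAT pid 1234\r\n",
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        replies = probe(sys.argv[1])
        print(f"{len(replies)} datagram(s) received")
        if replies:
            print(reassemble(replies, PROBE_ID).decode("ascii", "replace"))
            print(f"amplification x{amplification_factor(build_probe(), replies):.1f}")
    else:
        print(reassemble(SAMPLE_REPLIES, PROBE_ID).decode())
        print(f"amplification x{amplification_factor(build_probe(), SAMPLE_REPLIES):.1f}")
```

A real `stats` reply runs to well over a kilobyte, so the factor on a live instance is far larger than the constructed sample shows. The remediation is the one the Ubuntu update applies to the default configuration: start memcached with `-U 0` to disable UDP, and bind it to a non-public address with `-l 127.0.0.1` unless clients on other hosts genuinely need it.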